Use Terraform to Manage CloudGuard WAF


Last updated 3 months ago


The CloudGuard WAF Terraform provider lets you configure all aspects of CloudGuard WAF using Infrastructure as Code (IaC).

Terraform uses the concept of Providers to provide an open-source, feature-rich plugin system. Providers follow specific programmatic conventions that let them express the CRUD lifecycle of individual resources and how to maintain and verify the state of resources that are already deployed.

A Terraform deployment option for WAF SaaS is currently not available. We are actively working on a Terraform provider for the WAF SaaS deployment option and will notify users once it becomes available.

Terraform Resources

The Terraform files and usage examples are available in 2 locations:

  1. The Terraform registry.

  2. The GitHub repository, which is the origin for the Terraform registry.

API Keys For Terraform Provider Access

Step 1: Get API Keys

Follow the "Create an API Key" action in the Management API reference guide.

We strongly recommend that you store the credentials in a secured and authenticated location, such as HashiCorp Vault or another secrets manager.

Step 2: Use the API Keys in Terraform Provider

The API Keys' credentials can be passed to the provider in 3 different ways:

  1. Saved in the environment variables INEXT_CLIENT_ID and INEXT_ACCESS_KEY.

  2. (Less secure) Explicitly set within the Terraform file using the client_id and access_key fields in the provider block, as seen in the example tf files in this documentation. The keys then sit in plain text in the .tf file and in every copy of it, including version control.

  3. Terraform input variables.

When keys are stored in a vault, make sure there is a protected process that injects the keys from the vault into the Terraform provider, without additional systems being able to read them.

Using the Terraform Provider

A Terraform configuration declares the providers it uses in a required_providers block. Add the following once to each Terraform configuration (root module), typically in versions.tf or main.tf; declaring the same provider twice in one module is an error:

terraform {
  required_providers {
    inext = {
      version = "~> 1.0.0"
      source  = "CheckPointSW/infinity-next"
    }
  }
}

provider "inext" {
  region = "<DATA_REGION>"
  # client_id = "<CLIENT_ID>" # optional method for sending API Keys
  # access_key = "<ACCESS_KEY>" # optional method for sending API Keys
}

Terraform Input Variables for the "inext" provider

Region

According to your tenant's data residency as can be seen in Global Settings->Account Settings.

Data Residency      Value for "region" parameter
Ireland             eu
United States       us

API Keys

client_id and access_key: optional provider arguments, as explained above, providing another way of passing the API keys.

Enforce Tool

A unique aspect of using CloudGuard WAF is the "Enforce" action.

Terraform is used to configure the system and create a configuration state that can be changed when required. "Enforce", however, is not a state but a single action that tells CloudGuard WAF to push the configured security policy to the agents.

In essence, all changes made when running terraform apply are done within a session of the configured API key. In CloudGuard WAF, each session must be published before the configured policies can be enforced on your assets. Think of it as committing your changes so that you can make a release.

Enforcement is normally performed after every configuration change, but it is not an inherent part of applying a change. For this reason a separate CLI tool is provided so that pipelines and other processes can publish and enforce the policy configuration.

Enforce Tool Download

The GitHub repository includes a CLI utility, inext, for this exact use case. It has 2 commands: publish and enforce.

Enforce Tool Usage

There are three options for passing the client ID, access key and region when publishing or enforcing a policy with the CLI:

  1. Option 1: Set the environment variables INEXT_REGION, INEXT_CLIENT_ID and INEXT_ACCESS_KEY and run inext <command>. Using this method right after terraform apply reuses the same environment variables that were already injected by the method of your choosing.

  2. Option 2: Pass the credentials as command line parameters: --client-id (shorthand -c) for the client ID, --access-key (shorthand -k) for the access key, and -r for the region. Note that command line arguments are visible to other local users in process listings and may be recorded in shell history, so prefer Option 1 in pipelines.

    inext <command> -c $INEXT_CLIENT_ID -k $INEXT_ACCESS_KEY -r us

  3. Option 3: Create a YAML file at ~/.inext.yaml with the following content:

    client-id: <INEXT_CLIENT_ID>
    access-key: <INEXT_ACCESS_KEY>
    region: eu

    Run inext <command> and the CLI uses ~/.inext.yaml by default. You can also point it at a different configuration file with: inext --config <path> enforce. Because this file contains the access key, create it with restrictive permissions (for example chmod 600) and keep it out of version control.

Example Terraform Files

We are providing example Terraform files to both test and use as a baseline for your configurations.

Download

See the links to the Terraform Resources at the top of the page. Each option also includes the example files.

Usage

  1. Open a command line in the folder where the example files were unzipped.

  2. For the example, set the environment variables for your API keys using the export command. Otherwise, as noted in the API Keys section, create a secure process that transfers the API keys from a secure location such as a vault to the Terraform deployment process.

  3. Edit the Terraform files if you wish to adjust the example.

  4. Run: terraform init

  5. Run terraform apply, verify that the plan creates the expected resources, type yes, and press Enter.

The "Enforce" CLI tool is available through our GitHub repository.

Make sure you install Terraform according to the instructions on the Terraform website.

You can verify that the configuration was applied by browsing to the Infinity Portal and watching the objects in the Web UI.
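The following script wires together the API-key handling from the API Keys section, the terraform init/apply steps from the Usage section, and the inext publish and inext enforce commands from the Enforce Tool Usage section, in the order the page describes. It is an added example, not a script from the CloudGuard WAF documentation or repository. It assumes (hypothetically) that the keys are stored in a HashiCorp Vault KV secret at secret/cloudguard-waf/terraform under the fields client_id and access_key, that vault, terraform and inext are on PATH, and that the Terraform configuration lives in the directory given by TF_DIR (default: the current directory).

```shell
#!/bin/sh
# Added example (not from the CloudGuard WAF docs): fetch the API keys, apply the
# Terraform configuration, then publish and enforce the policy with the inext CLI.
# Assumptions (hypothetical): keys live in HashiCorp Vault KV at VAULT_SECRET_PATH
# under the fields "client_id" and "access_key"; vault, terraform and inext are on PATH.
set -eu

VAULT_SECRET_PATH="${VAULT_SECRET_PATH:-secret/cloudguard-waf/terraform}"
TF_DIR="${TF_DIR:-.}"

# Read one field of the secret from Vault. Nothing is written to disk.
fetch_secret() {
  vault kv get -field="$1" "$VAULT_SECRET_PATH"
}

# Fail closed if any of the three settings the provider and the CLI need is missing.
check_env() {
  for name in INEXT_REGION INEXT_CLIENT_ID INEXT_ACCESS_KEY; do
    eval "val=\${$name:-}"
    if [ -z "$val" ]; then
      echo "missing $name" >&2
      return 1
    fi
  done
  return 0
}

# The region must match the tenant's data residency: eu (Ireland) or us (United States).
check_region() {
  case "${INEXT_REGION:-}" in
    eu|us) return 0 ;;
    *) echo "INEXT_REGION must be eu or us, got '${INEXT_REGION:-}'" >&2; return 1 ;;
  esac
}

# terraform init/plan/apply, then inext publish and inext enforce, all inside a subshell
# so the exported keys do not outlive this function. The keys are never placed on a
# command line (visible in ps output and shell history) and never written to a .tf file.
deploy_and_enforce() {
  (
    export INEXT_REGION="${INEXT_REGION:?set INEXT_REGION to eu or us}"
    if [ -z "${INEXT_CLIENT_ID:-}" ]; then
      INEXT_CLIENT_ID="$(fetch_secret client_id)"
      export INEXT_CLIENT_ID
    fi
    if [ -z "${INEXT_ACCESS_KEY:-}" ]; then
      INEXT_ACCESS_KEY="$(fetch_secret access_key)"
      export INEXT_ACCESS_KEY
    fi
    check_env
    check_region
    terraform -chdir="$TF_DIR" init -input=false
    terraform -chdir="$TF_DIR" plan -input=false -out=tfplan
    terraform -chdir="$TF_DIR" apply -input=false tfplan
    # The changes above are in a session of the API key: publish the session first,
    # then enforce so the published policy is pushed to the agents.
    inext publish
    inext enforce
  )
}

# Run only when explicitly asked, so the file can also be sourced for its functions.
if [ "${1:-}" = "--run" ]; then
  deploy_and_enforce
fi
```

Run it as ./deploy.sh --run with INEXT_REGION set to the tenant's region. The keys are read into a subshell and exported only there (Option 1 of the CLI usage), so terraform and inext pick them up from the environment while the parent shell never holds them, and they are gone once the function returns.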
